Here are a few hints to help with the completion of some basic local Linux exploits from Exploit Exercises. If you haven't downloaded the virtual machine yet, go grab it from the Nebula exploit exercises page and get started.
For this exercise we'll look for a binary executable with the setuid flag set. We look for a binary specifically because these bits don't have any effect on directories or on scripts such as bash (shell), perl, or python.
Security impact
The setuid feature can be very useful in many cases. However, improper use can pose a security risk. An example would be a program that isn't carefully designed and could allow an attacker to take advantage of this flag being set.
With that, if we can find a binary executable with the setuid flag set, it will automatically execute with the privileges of the file's owner. In this case we're hoping to find something that will execute as flag00.
How to locate
The best way to locate binary executables with a setuid bit is to use the find command.
Below is an example of how to use find to locate the file.
$ find / -perm /u=s -user flag00
work your magic...
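The same find invocation is just as useful on the defending side. The script below is an added example, not part of the original post: it lists every setuid or setgid regular file under a tree and diffs that list against a saved baseline, so a privileged binary that appears, disappears, or gains a bit after the baseline was taken shows up as a "+" or "-" line. The baseline file path in the usage comment is only a suggestion.

```sh
#!/bin/sh
# Added example, not part of the original post: audit setuid/setgid files
# under a tree and diff the result against a known-good baseline.

# list_setuid ROOT
# Prints every regular file under ROOT (staying on the same filesystem) that
# has the setuid (4000) or setgid (2000) bit, one per line, sorted so the
# output can be compared with comm.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | LC_ALL=C sort
}

# setuid_diff ROOT BASELINE
# Compares the current list for ROOT with BASELINE (a file written by
# list_setuid). Prints "+path" for files that carry a setuid/setgid bit now
# but did not in the baseline, and "-path" for files that lost one.
# Returns 0 when nothing changed, 1 when there are differences.
setuid_diff() {
    _current=$(mktemp) || return 2
    list_setuid "$1" > "$_current"
    _added=$(comm -13 "$2" "$_current")     # only in the current list
    _removed=$(comm -23 "$2" "$_current")   # only in the baseline
    rm -f "$_current"
    if [ -n "$_added" ]; then
        printf '%s\n' "$_added" | sed 's/^/+/'
    fi
    if [ -n "$_removed" ]; then
        printf '%s\n' "$_removed" | sed 's/^/-/'
    fi
    if [ -z "$_added" ] && [ -z "$_removed" ]; then
        return 0
    fi
    return 1
}

# Typical use (baseline location is an assumption, pick your own):
#   list_setuid / > /var/lib/setuid.baseline      # once, on a known-good box
#   setuid_diff / /var/lib/setuid.baseline         # later, from cron or a hook
```

Because the diff is against a baseline rather than a fixed allow-list, it needs no knowledge of which binaries a distribution ships with setuid; anything that changes after the snapshot is what you investigate.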
For this one we are given the code to analyze. It helps to know how Linux locates executables and follows symbolic links, though.
Let's have a look at the code:
If you haven't, look up the PATH variable and learn a little about what it is and how it's used in the Linux system.
In Linux (and other Unix-like operating systems) there's an environment variable PATH, which is a delimited list of directories that the shell searches for executable files.
Once we know the above information, it's possible to recognize that the program has a vulnerability in the way it invokes echo. With this information we're ready to start.
Create your own version of echo (I did this using a symbolic link to getflag) and make sure the shell finds yours before it finds the real echo.
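The flip side of the PATH lesson is knowing which PATH entries an unprivileged user could write to, since those are exactly the places a look-alike binary can be dropped ahead of the real one. The function below is an added example, not from the original post: it walks a PATH value and reports empty entries (which mean the current directory), relative entries, and world-writable directories.

```sh
#!/bin/sh
# Added example, not part of the original post: report PATH entries that an
# unprivileged user could populate with a binary of their choosing.

# path_audit PATH_VALUE
# Prints one "WARN <reason> <entry>" line per risky entry and returns the
# number of risky entries found (0 means the value looks clean).
path_audit() {
    _rest="$1:"        # trailing ':' so the loop also sees a final empty entry
    _count=0
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        if [ -z "$_entry" ]; then
            # An empty entry is looked up as "the current directory".
            echo "WARN empty-entry ''"
            _count=$((_count + 1))
        elif [ "${_entry#/}" = "$_entry" ]; then
            # A relative entry also resolves against the current directory.
            echo "WARN relative-entry $_entry"
            _count=$((_count + 1))
        elif [ -d "$_entry" ] &&
             [ -n "$(find -H "$_entry" -prune -perm -0002 -print 2>/dev/null)" ]; then
            # -H follows a symlinked entry to the real directory; -prune keeps
            # find on the entry itself; -perm -0002 means others can write.
            echo "WARN world-writable $_entry"
            _count=$((_count + 1))
        fi
    done
    return "$_count"
}

# Usage: audit the calling shell's own PATH; the exit status is the count.
#   path_audit "$PATH"
```

A setuid program that calls system() or a shell with a bare command name inherits whatever PATH its caller chose, so the program-side fix is to use absolute paths (or reset PATH itself) regardless of what this audit says about the current environment.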
For this level we are again given the code, so it's easy to see what's going on. This programmer is getting wise to us updating the PATH so our bin directory is found first. They still left a little something for us, though; pay special attention to how the program gets the username.
From the last exercise remember the environment variable PATH. Take a look at the other environment variables available and see if it's possible to update it in such a way that getflag will be executed.
As the description says, crontab runs every few minutes. From checking the script in flag03's home directory we can see what's happening; just find a way to exploit it.
I chose to just create a simple shell script:
[redacted]
but I'm thinking another interesting thing would be to create a setuid program and have the cron update everything so we have lasting permissions as flag03.
In this level, again, a knowledge of symbolic links is key.
This level requires some knowledge of Unix file permissions so you can snoop around for juicy-looking files. Finally, an understanding of how the SSH encryption and connection process works helps [1].
As the description says, you need to know how Unix systems store passwords. Once that part is figured out, John the Ripper can help with the rest.
To start, cd to the flag07 directory and have a look at the files; from there it's possible to find enough information to get started. Now all that's left is to find a way to inject getflag.
Bonus hint: make sure to properly URL encode.
Those pesky file permissions again: just poke around in flag08's home directory to see what juicy files we can get our eyes on.
Bonus hint: Wireshark, Analyze > Follow > TCP.
Very interesting. After trying the usual exploits I stumbled across the possibility of doing something like this:
which works! However, after all that time I spent figuring that out, it turns out 'flag09 -a' gives you the interactive command line as the flag09 user! Trivial from there... so simple, yet for me so hard to find.
Interesting. I was trying various things to solve this one and then... in my home directory there's a file called x. I go ahead and take a look in there and, lo and behold, it seems to be a token. It worked to sign into flag10, but that's not how it was supposed to go...
I'll have to work on finding the real way of exploiting this one
That's as far as I had time to get so far. I hope that you found these hints helpful without spoiling the fun.
Hints provided by bmcculley